What is the most boring subject in IT? Many topics come to mind, but few would argue that disaster recovery (DR) and business continuity would be high on the list. It is a dry subject. It was dry back in 1999 when everyone was anticipating Y2K, and I don’t imagine anyone thinks it’s less dry today.
Just about every profession has its boring, fundamental practices that no one likes to do, but that must be done. Take basketball, for example. At the college or professional level, you would think players would be experts at shooting free throws and layups. Yet they practice them all the time (and I do mean all the time). Those are two of the most basic shots in the game. But how many games are lost on missed free throws? Too many to count. Anyone catch the final game of the NCAA tournament this year? Presumably the best two teams in all of college basketball, yet the losing team missed more layups than a junior high-school team on a bad day. It was painful, even embarrassing, to watch. The result was a blowout the likes of which has never been seen in NCAA tournament history.
The same happens when organizations don’t pay attention to DR and BCP, and the infamous Murphy (as in Murphy’s Law) comes to collect. As boring as planning and preparing for the unthinkable may be, there are real consequences if a customer can’t get through to technical support when a mission-critical application is down and paying customers are dropping like flies. It’s not optional.
A few years ago, the multicampus company I was working for in Denver established contingency plans for the unlikely event that one of our buildings lost power or suffered a catastrophe that prevented people from entering the building. We set up alternate workspaces in each of our buildings, with extra PCs and phones that would enable employees to perform critical functions in the event of an emergency at one of our other sites. Then it happened. A spring storm dumped three feet of snow and gridlocked the city for forty-eight hours. No one could get to one of our key operations centers. Not a problem: We had set up alternate sites. But no one could get to any of those buildings either. Our mortgage clients in balmy Florida and sunny southern California had little sympathy for our plight when they couldn’t issue financial instruments for closings that day. What we should have done was issue laptops to critical staff and enabled VPN access to our network so they could work remotely from their homes. The technology existed at the time, but few people were taking advantage of it. Our planning was inadequate. We knew it snowed in Denver, but we didn’t take the possibility seriously enough and suffered grave consequences as a result.
I have heard it said that DR is the responsibility of the IT organization and BCP is the responsibility of the business units. But DR and BCP go hand in hand. There is no business continuity without good disaster recovery plans, procedures, and infrastructure, and there can be no disaster recovery without good business continuity planning. I see it as a single discipline: DR-BCP.
Across the organization, leaders must take DR-BCP seriously and implement adequate plans. According to the 2010 HDI Practices & Salary Report, business continuity sits at the bottom of the list, with 16 percent reporting that they have implemented this ITIL process in their organizations. After financial management, it is the least-followed process. A 2009 study by InformationWeek Analytics reported similar results, with 17 percent of survey respondents indicating that their organizations had no DR-BCP plans, while 20 percent are still working on their strategies.[1]
Nearly fifteen years after participating in my first impact analysis, this is truly alarming. With those statistics, it seems there has not been nearly enough focus on the subject. Where does your organization stand? Are you among the 20 percent still working on a strategy? Is that code for “we’ll do something when we get around to it”? At my former company, we thought we had performed good BCP. We were kidding ourselves. Google, Amazon, and Facebook have all made headlines recently over critical system failures that impacted consumers.[2] Will your company be next?
It is not enough to create a plan and assume that you’re done. Plans should be reviewed on a regular basis and updated as the business and technology evolves. Have you moved any of your computing infrastructure to the cloud lately? Could that have an impact on the plan your organization created six years ago?
DR-BCP is critical to service desk and technical support groups. After all, isn’t the service desk a business function? When something goes wrong, it’s going to be right in the middle of dealing with it. And if the service desk doesn’t plan for business continuity, it may be subject to the same catastrophic failures as its business counterparts. As the champion of service management, it is imperative that service desk and technical support organizations are directly involved in all aspects of this core discipline and champion the cause. Practice the fundamentals. You can’t take shortcuts. There is far too much at stake. Boring? Sure. Optional? Never.
Craig Baxter is HDI’s global brand manager, responsible for providing general oversight and management. His background is in software development, IT management, technical support desk, call center solutions, and operations. Prior to joining HDI, he held various positions at First Data Corp., MCI, Softech, and the US Air Force. Craig earned his BSE in electrical engineering from Northern Arizona University and his MS in computer science from Chapman University.